Dependency Track

A Carvel package for Dependency Track, a continuous SBOM Analysis Platform for managing software supply chain security risks.

🚀  Getting Started

Prerequisites

• Kubernetes 1.29+

• Carvel kctrl CLI.

• Carvel kapp-controller deployed in your Kubernetes cluster. You can install it with Carvel kapp (recommended choice) or kubectl.

  kapp deploy -a kapp-controller -y \
    -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml

Dependencies

Dependency Track requires the following packages included in the Kadras Engineering Platform and available to install from the Kadras package repository:

• cert-manager
• Contour
• secretgen-controller
• PostgreSQL Operator.

Installation

Add the Kadras package repository to your Kubernetes cluster:

kctrl package repository add -r kadras-packages \
  --url ghcr.io/kadras-io/kadras-packages \
  -n kadras-system --create-namespace

Installation without package repository

The recommended way of installing the Dependency Track package is via the Kadras package repository. If you prefer not using the repository, you can add the package definition directly using kapp or kubectl.

kubectl create namespace kadras-system
kapp deploy -a dependency-track-package -n kadras-system -y \
  -f https://github.com/kadras-io/package-for-dependency-track/releases/latest/download/metadata.yml \
  -f https://github.com/kadras-io/package-for-dependency-track/releases/latest/download/package.yml

Install the Dependency Track package:

kctrl package install -i dependency-track \
  -p dependency-track.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system

Note You can find the ${VERSION} value by retrieving the list of package versions available in the Kadras package repository installed on your cluster.

kctrl package available list -p dependency-track.packages.kadras.io -n kadras-system

Verify the installed packages and their status:

kctrl package installed list -n kadras-system

📙  Documentation

Documentation, tutorials and examples for this package are available in the docs folder. For documentation specific to Dependency Track, check out dependencytrack.org.

🎯  Configuration

The Dependency Track package can be customized via a values.yml file.

domain_name: "dependency-track.kadras.io"
ingress_issuer: "kadras-ca-issuer"
postgresql:
  instances: 3

Reference the values.yml file from the kctrl command when installing or upgrading the package.

kctrl package install -i dependency-track \
  -p dependency-track.packages.kadras.io \
  -v ${VERSION} \
  -n kadras-system \
  --values-file values.yml

Values

The Dependency Track package has the following configurable properties.

Configurable properties

Config	Default	Description
system_requirement_check	true	Whether Dependency Track will check for memory and CPU requirements at startup time.
domain_name	""	Domain name for Dependency Track. It must be a valid DNS name.
ingress_issuer	""	A reference to the ClusterIssuer to use for enabling TLS in Dependency Track.

Settings for the API Server component.

Config	Default	Description
api_server.logging.level	info	Log verbosity level. Options: trace, debug, info, warn, error.
api_server.logging.format	console	Log encoding format. Options: console, json.
api_server.metrics.enabled	true	Whether to enable the generation of Prometheus metrics.
api_server.resources.cpu	0.5	CPU requests configuration for the API Server component.
api_server.resources.memory	5Gi	Memory requests configuration for the API Server component.
api_server.limits.cpu	4	CPU limits configuration for the API Server component.
api_server.limits.memory	5Gi	Memory limits configuration for the API Server component.
api_server.storage.class_name	""	Class name for the PersistenceVolume to create.
api_server.storage.size	500Mi	Size of the PersistenceVolume to create.

Settings for the Frontend component.

Config	Default	Description
frontend.replicas	1	The number of Frontend replicas. In order to enable high availability, it should be greater than 1.
frontend.resources.cpu	0.5	CPU requests configuration for the Frontend component.
frontend.resources.memory	5Gi	Memory requests configuration for the Frontend component.
frontend.limits.cpu	4	CPU limits configuration for the Frontend component.
frontend.limits.memory	5Gi	Memory limits configuration for the Frontend component.

Settings for the corporate proxy.

Config	Default	Description
proxy.https_proxy	""	The HTTPS proxy to use for network traffic.
proxy.http_proxy	""	The HTTP proxy to use for network traffic.
proxy.no_proxy	""	A comma-separated list of hostnames, IP addresses, or IP ranges in CIDR format that should not use the proxy.

Settings for the PostgreSQL database.

Config	Default	Description
postgresql.instances	1	Number of instances for the PostgreSQL database cluster. Define at least 3 for production scenarios.
postgresql.storage.size	500Mi	Size of the PersistenceVolume to create for each PostgreSQL instance.

🛡️  Security

The security process for reporting vulnerabilities is described in SECURITY.md.

🖊️  License

This project is licensed under the Apache License 2.0. See LICENSE for more information.